- Critical React bug (CVE-2025-55182) enables pre-authentication RCE in React Server Components
- It affects versions 19.0 through 19.2.0 and frameworks such as Next, React Router and Vite; fixes are available in 19.0.1, 19.1.2 and 19.2.1
- Exploitation succeeds at a near 100% rate and experts warn that attacks are imminent; urgent updates are highly recommended.
React is one of the most popular JavaScript libraries, powering much of the internet today. Researchers recently discovered a very serious vulnerability in it: a flaw that allows even low-skilled threat actors to achieve remote code execution (RCE) on vulnerable instances.
Earlier this week, the React team published a new security advisory detailing a pre-authentication flaw in several versions of the packages that implement React Server Components. Affected versions are 19.0, 19.1.0, 19.1.1 and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack.
The bug is now tracked as CVE-2025-55182 and has been assigned a severity rating of 10/10 (Critical).
Exploitation is imminent; there is no doubt about it
This bug also affected the default configurations of several React frameworks and packages, including Next, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc and rwsdk.
Versions 19.0.1, 19.1.2 and 19.2.1 fix the bug, and React urges all users to apply them as soon as possible. “We recommend an immediate update,” the React team said.
React is used in almost two out of five cloud environments, so the attack surface is large, to say the least. React is trusted by Facebook, Instagram, Netflix, Airbnb, Shopify and other giants of today’s internet, as well as by millions of other developers.
Benjamin Harris, founder and CEO of exposure management tool provider watchTowr, told the publication that the vulnerability is “undoubtedly” being exploited in the wild. In fact, he believes abuse is “imminent,” especially now that the advisory has been issued.
Wiz has successfully tested the flaw and says that “exploitation of this vulnerability was highly accurate with a near 100% success rate and can be used for full remote code execution.”
In other words, there is no time to waste: patching this flaw should be everyone’s top priority.
Via The Record
